Hello,
We have two Cloud Run services:
The webpage invokes the APIs on the second service to render the UI.
We want to implement IAP authentication on both services, so that we can expose them securely.
Basically we want to authenticate the user when he opens the webpage, then use the IAP token to make the necessary API calls to the other Cloud Run service that hosts the APIs.
Are there any guidelines for this kind of implementation?
Greatly appreciated!
Hi @calex,
Welcome to Google Cloud Community!
You can enable IAP for your Cloud Run services to enforce access control policies for your application and properly secure it. You may refer to this documentation to learn the limitations and the guidance you need when implementing IAP.
You may also look into IAP-authenticated user identity, or getting the user's identity, to verify that a request came through IAP.
Check also the use of IAP as an authentication proxy, which enforces authentication on all incoming requests and redirects the request to YOUR_APP_URL after successful authentication.
Hope this helps.
Hello,
First of all thanks for your answer! However we are still having some issues on this matter...
Do you have any recommended approach for fetching the IAP token from a SPA (a React app in our case)?
I tried two different approaches so far (unfortunately both with no success):
1. Using the library 'google-auth-library':
This is the library recommended in the node.js code section of this article - https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_service_account
However, this library does not seem to be prepared to run "browser-side", since when I try to create a TokenIdClient from it (auth.getIdTokenClient(targetAudience)) I get some errors that indicate that this code is only meant to run server-side and not in a browser environment.
2. Using GAPI (Google API client for JavaScript):
In this case, when I try to load an auth2 instance using the corresponding target OAuth2 client ID, I get an origins problem:
"Not a valid origin for the client: {...} has not been registered for client ID {...}.apps.googleusercontent.com. Please go to https://console.developers.google.com/ and register this origin for your project's client ID."
The final goal is to use this token to send authorized requests to the backend API (also protected by IAP). Can you give some advice here?
Thanks in advance!